Bug#1087200: bookworm-pu: package lemonldap-ng/2.16.1+ds-deb12u4
Hi,
On Sat, Nov 09, 2024 at 06:54:39PM +0400, Yadd wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> X-Debbugs-Cc: lemonldap-ng@packages.debian.org, yadd@debian.org
> Control: affects -1 + src:lemonldap-ng
> User: release.debian.org@packages.debian.org
> Usertags: pu
>
> [ Reason ]
> lemonldap-ng is a Web-SSO. In Bookworm, it is vulnerable to:
> - XSS issue in the "Upgrade" plugin that allows users to upgrade their
> authentication level in the current session (for example, use an SSL card
> instead of login/password)
> - Privilege escalation when "Adaptative auth level" is used: users can
> apply the benefit more than one time using the "refresh-session"
> mechanism
>
> [ Impact ]
> Medium security issues.
>
> [ Tests ]
> Test updated, passed
>
> [ Risks ]
> Low risk: patch is trivial
>
> [ Checklist ]
> [X] *all* changes are documented in the d/changelog
> [X] I reviewed all changes and I approve them
> [X] attach debdiff against the package in (old)stable
> [X] the issue is verified as fixed in unstable
>
> [ Changes ]
> - don't apply adaptative rules when the session is refreshed
> - apply the "checkXSS" method on "Upgrade" plugin URLs
>
> [ Other info ]
> These 2 issues will have a CVE number soon
FTR/context, those are CVE-2024-52946 and CVE-2024-52947.
Regards,
Salvatore